API Authentication and Security

Accessing the authID platform APIs requires Bearer authentication, also known as token authentication.

The Identity Service must be used to exchange the API Key ID/Value pair for the Bearer Access/Refresh token pair.

Encryption Required

An encrypted connection (HTTPS/TLS) is required to access the authID.ai Verified platform.

Create API Key

Access to the authID Identity Portal is provided using passwordless credentials with cloud biometric authentication for credential recovery. These are user credentials and cannot be used for machine-to-machine API authentication. This is by design. Machine-to-machine authentication is provided via authID API keys.

To generate API Keys, go to Settings -> My APIKeys in the Identity Portal and create an API Key. This generates an API Key ID / Value pair. Be sure to copy and save the API Key Value securely; there is no way to restore this value after the page is closed.

A developer can test the generated machine-to-machine credentials using the Swagger UI of the Token Endpoint.

  • On the top right of the page, click Authorize
  • Paste API Key ID into Username: field
  • Paste API Key Value into Password: field
  • Click Authorize
  • In the POST /v1/auth/token call in Swagger UI, click Try it out and then Execute

Getting Access / Refresh Tokens

To obtain a token for authID APIs, a developer must provide the API Key ID and API Key Value in the Basic Authorization header of the HTTP request to the Identity Service Token endpoint.

That is, the client code must send HTTP requests with an Authorization header that contains the word Basic followed by a space and the base64-encoded string apiKeyId:apiKeyValue:

btoa("apiKeyId:apiKeyValue") // output is YXBpS2V5SWQ6YXBpS2V5VmFsdWU=

Next, call the POST token endpoint and add the following header value:

curl -X POST "https://id.authid.ai/IDCompleteBackendEngine/IdentityService/v1/auth/token" -H "accept: application/json" -H "Authorization: Basic YXBpS2V5SWQ6YXBpS2V5VmFsdWU=" -d ""

Parse the JSON response and save the AccessToken and RefreshToken values.
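
The whole exchange above, written as an added Node.js example (not authID's own code): it builds the Basic header, refuses a non-HTTPS endpoint, and validates the token response before deriving the Bearer header. Assumptions: Node.js 18+ globals (fetch, Buffer, URL), AccessToken and RefreshToken being top-level string fields of the JSON body, and all function names, which are hypothetical.

```javascript
// Added example, not authID's own code. Assumes Node.js 18+ (global fetch, Buffer, URL).
const TOKEN_URL =
  "https://id.authid.ai/IDCompleteBackendEngine/IdentityService/v1/auth/token";

// Build "Basic base64(apiKeyId:apiKeyValue)". Buffer encodes the pair as UTF-8,
// so characters outside Latin-1 do not throw the way btoa() does.
function basicAuthHeader(apiKeyId, apiKeyValue) {
  if (!apiKeyId || !apiKeyValue) throw new Error("API Key ID and Value are required");
  // RFC 7617: the user-id part cannot contain ":" (the server splits on the first colon).
  if (apiKeyId.includes(":")) throw new Error("API Key ID must not contain ':'");
  return "Basic " + Buffer.from(`${apiKeyId}:${apiKeyValue}`, "utf8").toString("base64");
}

// Describe the token request; reject non-HTTPS URLs so the key is never sent in clear text.
function buildTokenRequest(apiKeyId, apiKeyValue, url = TOKEN_URL) {
  if (new URL(url).protocol !== "https:") throw new Error("Token endpoint must use HTTPS");
  return {
    url,
    options: {
      method: "POST",
      headers: {
        accept: "application/json",
        "Content-Type": "application/x-www-form-urlencoded", // what curl -d "" sends
        Authorization: basicAuthHeader(apiKeyId, apiKeyValue),
      },
      body: "",
    },
  };
}

// Assumption: AccessToken and RefreshToken are top-level string fields of the response.
function parseTokenResponse(jsonText) {
  const { AccessToken, RefreshToken } = JSON.parse(jsonText);
  if (typeof AccessToken !== "string" || typeof RefreshToken !== "string") {
    throw new Error("Token response is missing AccessToken or RefreshToken");
  }
  return { AccessToken, RefreshToken, bearerHeader: `Bearer ${AccessToken}` };
}

// Network call: exchange the API key for tokens (never log the key or the tokens).
async function getTokens(apiKeyId, apiKeyValue) {
  const { url, options } = buildTokenRequest(apiKeyId, apiKeyValue);
  const res = await fetch(url, options);
  if (!res.ok) throw new Error(`Token request failed: HTTP ${res.status}`);
  return parseTokenResponse(await res.text());
}
```

Load the API Key ID and Value from a secret store or environment variables rather than source code, and send the returned bearerHeader value as the Authorization header on subsequent API calls.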